Appl. No. 09/909,645 APP 1236

Amdt. Dated 12/03/2004

Reply to Office Action of 10/07/2004

Remarks/Arguments

Applicants appreciate the courtesy shown to their attorney during telephone interviews with the Examiner and the Examiner's supervisor, Glenton Burgess, concerning the effective date of the primary cited reference, as discussed below.

Claims 11 and 12, which were rejected, 35 USC 112, second paragraph, have been amended as suggested by the Examiner. Withdrawal of the Section 112 rejection is therefore requested.

Claims 3, 4, 9, 10, 11, and 12 have been amended to improve their form. 

Claims 5 and 6 were indicated by the Examiner as being allowable if rewritten in independent form including all of the limitations of their base and intervening claims. These claims have been thus amended and their reconsideration and allowance are therefore requested.

Claims 1-2, 7-10, 13-16, and 18-21 were rejected, 35 USC 102(e), as anticipated by Copeland Patent Application Publication 2002/0244156. Claim 3 was rejected, 35 USC 103(a), as being unpatentable over Copeland in view of Kaku patent 6,279,097, and claim 4 as being unpatentable over Copeland and Kaku further in view of Satoh et al patent 6,065,064. Accordingly, the primary reference is the Copeland published application, which has a filing date of January 31, 2002.

Applicants note that their application has a filing date of July 20, 2001, which is prior to the Copeland application filing date. Accordingly, while the Examiner has at great length analyzed and applied the Copeland patent publication disclosure to applicants' claims, that disclosure is not itself available as a reference against applicants' claims. Instead one must look at the disclosure set forth in the Copeland provisional application 60/265,194, filed Jan. 31, 2001. Applicants have obtained a copy of this provisional application, and a copy thereof is enclosed for the Examiner's review and consideration.

Unlike the Published Patent Application, the provisional application is a very short 
(four pages) discussion of network vulnerabilities and appears to focus on what Copeland 
refers to as LAN scope as a way to detect possible network attacks. It contains no drawings 
and no detailed discussion of the technology involved. It is certainly not an enabling 
disclosure to support the non-provisional Copeland application. 

Applicants submit that the teaching and disclosure of this Provisional Application does not contain the specific disclosure relied upon by the Examiner in the Office Action and that therefore the Copeland disclosure in the non-provisional patent application is not available as prior art against applicants' invention.

Applicants also wish to point out to the Examiner that the Copeland Provisional Application itself is neither a disclosure nor a teaching of applicants' invention. Copeland is directed to an entirely different problem than applicants' invention. In Copeland the goal and result are to identify flows and analyze abnormal behavior for intrusion detection. As such, Copeland requires identification of port numbers and mapping of those port numbers to applications (Web, FTP...). In fact, as clearly seen in the Copeland abstract, Copeland describes his invention as "A port profiling system detects unauthorized network usage."

Applicants' goal is to identify flows that are characterized by source and destination addresses only and specifically does not involve processing of port information or port addresses. Applicants address problems of monitoring a network to assure that network performance is such as to provide a high quality of service to customers. Further, applicants enable the identification of CP flows between two monitoring points so that the configuration of the monitors can be automated. Thus, the applications, the actual meaning of "flows", and the mechanisms and steps for identifying the flows in Copeland and in applicants' invention are all different.

Accordingly, applicants request withdrawal of the Copeland Published Patent 
Application as prior art and reconsideration and allowance of claims 1-4 and 7-21, in 
addition to claims 5 and 6, and passage of this application to issue. 

If the Examiner considers it would in any way expedite the prosecution of this application, the Examiner is invited to telephone applicants' attorney at the number set forth below.



Respectfully submitted,

C. L. Lau et al

By:

Jc^d^W.Falk
Attorney for Applicants

Reg. No. 16,154
(732) 699^5
The Use of "Flows" to Analyze Data Network Traffic

by Dr. John A. Copeland
Draft Jan. 2, 2001

Suppose you are responsible for a corporate network. The company is improving productivity by continually running additional network enabled applications over this network. The network opens windows to the world, and open windows can be used by outsiders to exploit vulnerabilities. What are the possibilities that you want to guard against?



One primary danger to avoid is having outside hackers getting control of a computer (host) on your network. Once "in," they can download private company data, use the host to attack other hosts from inside the firewall, or use the host to scan and attack other computers anywhere in the world, with your network getting the initial blame. Such a takeover from the outside involves three stages:

Stage 1, a scan of your network to determine what type of computers are on your network, their operating systems, their network listener applications (servers), and their Internet Protocol addresses and open port numbers,

Stage 2, application of an exploit routine that allows the attacker to gain access to the computer, and

Stage 3, the operation of an application that accomplishes the attacker's objectives.

Another technique being seen with increasing frequency is the installation of a Trojan Horse program by an innocent looking program, such as an email or network news attachment. In this case stage 3 is the first stage that shows up in network activity.

If you know what activities are normal for your network in great enough detail, stages 1 and 3, and sometimes stage 2, are detectable as "abnormal" network activities (what LANcope calls "Out of Profile" activities). The exploit routine in stage 2 can be detected by a signature-based Intrusion Detection System (IDS), but only if it has been seen before, captured, and analyzed by the IDS vendor.

Characterizing and Tracking Network Activities

In order to provide knowledge about what is transpiring over an Internet Protocol (IP) data communications network, we need to partition the packets into groups that represent a complete communication transaction between two hosts (computers). There are dozens of Transport Layer protocols that can be running on an IP network. Most host-to-host communications will be carried by the Transport Control Protocol (TCP). TCP establishes "connections" that carry a stream of data in multiple packets. These packets are numbered so that they can be assembled, at the receiving host, in the correct order with no gaps (missing packets are retransmitted by the source host). Many times hosts will use multiple simultaneous and/or sequential TCP connections to carry out a communications session.
The User Datagram Protocol (UDP) is another Transport Layer Protocol that is carried by IP networks. This was originally designed for sending quick single-packet messages, such as a host asking a Domain Name Server for the IP numeric address associated with a URL like www.LANcope.com. Today it is also being used to carry streams of multimedia content where reliable delivery and packet acknowledgement is not needed.

The LANcope Monitor program looks at each packet and assigns it to a "Flow." A Flow is defined, in this case, as the packets exchanged between two hosts that are associated with a single "service." Examples of a service would be using a Web browser to access a single Web server, or using an email program to access a mail server. With UDP, an example of a Flow would be the stream of packets that carry data from a Multimedia server to a host with the appropriate "player" (e.g., a Web Radio client).

Most Intrusion Detection Systems piece together the packets in a TCP connection to collect the stream of bytes being transmitted, and then look for certain strings of characters in the data (signatures). These signatures are particular text strings that have been discovered in known hacker "exploits." The more signatures in the IDS's collection, the longer it takes to do an exhaustive search on each data stream. Even with all this effort, this technique will not recognize a brand new exploit that has not been analyzed to find a signature.

After LANcope associates each packet with a Flow, certain statistical data is updated in the Flow data record (number of bytes, packets, flag-bit combinations, etc.). No string search is made for signatures. This technique also is used for UDP Flows. When the Flow ends, the statistical data is examined to determine the type of transaction that took place, and the data records on the hosts involved are updated to reflect the new Flow information.

Analyzing data at the flow level has several advantages. By collecting data on the complete transaction (the Flow) before analysis, better decisions can be made. For example host Trudy sends three packets to host Bob with a source port number fixed at 64,000 and destination port numbers of 21, 25, and 111. Treated as one Flow, this is quickly determined to be a port scan since the source port number did not

Without this step, the probe above would lead to the erroneous conclusion that host Bob was running server programs on ports 23, 25, and 111 (Telnet, SMTP, and SunRPC). Since Bob responded with TCP Reset packets he should not be credited with operating these server applications.

If the data were collected as three different TCP connections, each connection could be due to a common type of error seen on networks. A further correlation step for all TCP connections would be necessary before the important conclusion, made quickly from a single Flow data record, could be made. Since there can be many simultaneous TCP connections in progress or recently ended, a good bit of CPU time would be required to continually search for such a correlation.
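As an added illustration (not code from the Copeland application or from LANcope), the following Python groups constructed packets into host-pair Flows and judges each Flow as a whole, so the Trudy/Bob probe is seen as one port scan rather than three separate rejected connections. The flag letters, the three-port threshold and the Alice/Bob Web connection are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # constructed TCP flag letters: S=SYN, A=ACK, R=RST, P=PSH

def group_into_flows(packets):
    """Key each Flow by its unordered host pair; direction stays on the packet."""
    flows = defaultdict(list)
    for p in packets:
        flows[frozenset((p.src, p.dst))].append(p)
    return flows

def classify_flow(packets):
    """Judge a whole Flow. Returns (verdict, services the peer is credited with).

    The first packet is assumed to come from the initiating host. A peer that
    only answered with Resets is credited with no server applications at all.
    """
    initiator = packets[0].src
    probes = [p for p in packets if p.src == initiator]
    replies = [p for p in packets if p.src != initiator]
    dports = {p.dport for p in probes}
    sports = {p.sport for p in probes}
    only_resets = bool(replies) and all(p.flags == "R" for p in replies)
    if only_resets and len(sports) == 1 and len(dports) >= 3:
        return "port scan", set()      # one source port walking many destinations
    if only_resets or not replies:
        return "rejected", set()       # a single aborted connection: possible probe
    return "connection", {(replies[0].src, d) for d in dports}

def analyze(packets):
    return {tuple(sorted(k)): classify_flow(v) for k, v in group_into_flows(packets).items()}

# Constructed traffic modelled on the Trudy/Bob probe described in the text,
# plus one genuine Web connection (Alice to Bob) for contrast.
SAMPLE = [
    Packet("Trudy", "Bob", 64000, 23, "S"),   Packet("Bob", "Trudy", 23, 64000, "R"),
    Packet("Trudy", "Bob", 64000, 25, "S"),   Packet("Bob", "Trudy", 25, 64000, "R"),
    Packet("Trudy", "Bob", 64000, 111, "S"),  Packet("Bob", "Trudy", 111, 64000, "R"),
    Packet("Alice", "Bob", 40001, 80, "S"),   Packet("Bob", "Alice", 80, 40001, "SA"),
    Packet("Alice", "Bob", 40001, 80, "A"),   Packet("Alice", "Bob", 40001, 80, "PA"),
]

if __name__ == "__main__":
    for pair, (verdict, services) in analyze(SAMPLE).items():
        print(pair, verdict, sorted(services))
```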

Recently a typical network had an average of 5 TCP or UDP connections per Flow, 160 packets per Flow, and 50,000 bytes per Flow. While the numbers vary from network to network and day to day, the number of data records to analyze is much smaller when collected on a Flow basis.

The analysis of data by Flow allows LANcope to distinguish normal connections, usually between a client and server, from incomplete or rejected transactions (potential probes). A misleading picture of network activity would result if the probes generated by a hacker for scanning or exploitation, or even common connection errors, were treated as actual network connections.

LANcope examines each flow to see if it has characteristics of a possible probe used by a hacker to map out the network, possibly looking for hosts vulnerable to various exploits or attacks. These probes sometimes are unnatural, and give themselves away immediately. Other times they resemble erroneous or unsuccessful connections that are seen frequently due to normal network operations, and only by correlation with other events can be recognized as part of a scanning or probing activity. To correlate these events, each time a host is responsible for a potential probe, its Concern Index is increased by a certain amount.

By analogy, if a stranger rattled your front door and then said he had the wrong address, you would have no basis to call the police. If he continued down the street doing the same things his Concern Index would increase to the point that calling the police would be appropriate (an IP address scan). The same would be true if he rattled other doors in the same house (a TCP or UDP port scan).

LANcope also examines each Flow shortly after it starts to see if it is an Attack, such as a Half-Open Denial of Service Attack, so that immediate notification to network managers can be made.


Exploitation Detection

As anyone who has connected a PC to a cable modem and run a program like Black Ice or Zone Alert knows, any given IP address is likely to be scanned a dozen times a week. These scans come from various countries around the world, perhaps from hosts that have previously been compromised. After a while, one upgrades his operating system to the latest (security-fix) releases, closes ports that do not need to be open, and ignores the scans that are looking for vulnerable systems (however, today's secure system may be tomorrow's vulnerable system). LANcope notes these scans, and provides data on the scanning host that can be obtained from techniques such as a DNS name lookup and a traceroute back to the scanning host. Some scanners have software that alerts them when they have been tracerouted and they stop immediately, so LANcope watches closely for a while and logs data before launching the traceroute.

The important issue is to detect whenever a scanner finds a vulnerable host. LANcope is designed to recognize when a local host responds to a suspicious (High CI) host with more than a TCP Reset or an ICMP "No Listener" and will then alert the network manager immediately. The fact that alarms occur only when there is a potential for damage makes the system much more valuable than a system that alarms at every scan.
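Added example, not LANcope's code, tying the Concern Index of the door-rattling analogy above to the exploitation alert described here: CI grows with each potential probe, and an alarm fires only when a High-CI host gets more than a Reset or "No Listener" back from a local host. The point weights, the threshold and the host names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights and threshold (the text gives none): three rattled doors
# are enough to make a host High-CI.
PROBE_POINTS = {"reset": 10, "no_listener": 10}
HIGH_CI = 30

@dataclass(frozen=True)
class FlowRecord:
    src: str        # host that started the Flow
    dst: str        # local host it aimed at
    dport: int
    outcome: str    # "reset", "no_listener" (ICMP) or "connection" (data exchanged)

class ConcernTracker:
    def __init__(self):
        self.ci = defaultdict(int)   # host -> Concern Index
        self.alarms = []

    def high_ci(self, host):
        return self.ci.get(host, 0) >= HIGH_CI

    def observe(self, rec):
        """Raise the source's CI for a probe; alarm only if a High-CI host got in."""
        if rec.outcome in PROBE_POINTS:
            self.ci[rec.src] += PROBE_POINTS[rec.outcome]
            return None
        # More than a Reset or "No Listener" came back. That is harmless from an
        # ordinary client, but from a host that has been rattling doors it means
        # the scanner found a vulnerable host.
        if rec.outcome == "connection" and self.high_ci(rec.src):
            alarm = f"{rec.dst}:{rec.dport} answered High-CI host {rec.src}"
            self.alarms.append(alarm)
            return alarm
        return None

def run(records):
    """Feed Flow records in order; return the final CI table and the alarms."""
    tracker = ConcernTracker()
    for rec in records:
        tracker.observe(rec)
    return dict(tracker.ci), tracker.alarms

# Constructed Flow records: Mallory is refused three times, then one local
# host completes a connection with him; Partner is a normal Web client.
SAMPLE = [
    FlowRecord("Mallory", "web1", 21, "reset"),
    FlowRecord("Mallory", "web1", 23, "no_listener"),
    FlowRecord("Mallory", "db1", 111, "reset"),
    FlowRecord("Mallory", "dev3", 31337, "connection"),
    FlowRecord("Partner", "web1", 80, "connection"),
]

if __name__ == "__main__":
    print(run(SAMPLE))
```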



Service Tracking

LANcope keeps a database of Services each local host is allowed to offer (as a server), or access (as a client). If a Flow does not fit this Host Service Profile, the discrepancy is noted and reported. To do this it is necessary to determine that the Flow was a valid connection, with a proper handshake and data being exchanged, or whether it is an aborted connection (a potential probe).

This technique will detect a host that is in stage 3 (above), whether the compromising software was installed by an over-the-network exploit, or by a Trojan Horse program.

Most network managers do not have the human resources to keep track of all the computers on their network, much less the details of what client and server applications are being run. LANcope solves this problem by automatically building the Host Service Profiles while operating in several progressive modes:

Mode 1: Local hosts, and Host Service Profile points (client and server services), are detected and profiles are built up.

Mode 2: Service profiles continue to build up, but every day the new Out-of-Profile (OoP) points are reported on a Web page. At the end of the day the new points are added to the relevant Host Service Profile.

Mode 3: The profiles are locked. New points are not automatically added to the Host Service Profiles. The network manager can inspect the list of OoP services on the Web and manually add some to the Host Service Profile if they feel it is justified, or delete services from a Host Service Profile if they feel the service should not be allowed (e.g., a personal Web server with vacation photos).

Mode 4: Service Profile Lockdown. As soon as an OoP service is detected, an alarm is sent to the network manager. If desired, LANcope can send packets designed to disrupt OoP connections.

Some of the Trojan Horse programs seen recently set up a server on one of the 65,000 ports available (say 31337 on host Alice) and wait for a particular type of scanning packet to activate a response. When this happens LANcope will detect the Flow and Alice's OoP server on port 31337 will be reported, with an immediate alarm if the system is operating in mode 4.

A compromised machine will frequently start using an FTP client to download a "root kit" and set up an Internet Relay Chat client (or even an IRC server) to tell all his buddies about the new conquest. These activities will show as OoP services.
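Added example (not LANcope's code) of Host Service Profiles under the four progressive modes, run on constructed Flows: mode 1 learns silently, mode 2 reports and adopts at end of day, mode 3 only reports, and mode 4 alarms, which is what surfaces Alice's new server on port 31337. The Flow fields, the host names and the scanner-to-Alice Flow are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    client: str
    server: str
    port: int
    local: frozenset   # constructed: which of the two hosts are on the local network

class ServiceProfiles:
    def __init__(self, mode):
        self.mode = mode                  # 1..4 as in the text
        self.profile = defaultdict(set)   # host -> {("server"|"client", port)}
        self.pending = set()              # today's new OoP points (mode 2 only)

    @staticmethod
    def points(f):
        # Profile points a valid Flow implies for the local hosts involved.
        pts = []
        if f.server in f.local:
            pts.append((f.server, ("server", f.port)))
        if f.client in f.local:
            pts.append((f.client, ("client", f.port)))
        return pts

    def observe(self, f):
        """Return ("report"|"alarm", host, point) for each Out-of-Profile point."""
        out = []
        for host, point in self.points(f):
            if point in self.profile[host] or (host, point) in self.pending:
                continue
            if self.mode == 1:                 # silent learning
                self.profile[host].add(point)
            elif self.mode == 2:               # report today, adopt at end of day
                self.pending.add((host, point))
                out.append(("report", host, point))
            elif self.mode == 3:               # profiles locked: report only
                out.append(("report", host, point))
            else:                              # mode 4, Service Profile Lockdown
                out.append(("alarm", host, point))
        return out

    def end_of_day(self):
        # Mode 2: fold the day's reported points into the profiles.
        for host, point in self.pending:
            self.profile[host].add(point)
        self.pending.clear()

def demo():
    # Constructed run: learn Alice's normal services, then lock down.
    local = frozenset({"Alice", "mail1"})
    sp = ServiceProfiles(mode=1)
    sp.observe(Flow("Alice", "www.example.com", 80, local))   # Alice as Web client
    sp.observe(Flow("Alice", "mail1", 25, local))              # Alice client, mail1 server
    sp.mode = 4
    return sp.observe(Flow("scanner.example", "Alice", 31337, local))  # Trojan server
```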

Hopefully you can go for years without a hacker compromising one of your hosts. But what about the story in last Sunday's paper about how to download software and listen to your favorite background music, or your hometown radio station, on your PC? Many office workers will do this without having a thought about tying up limited Internet connection capacity. Fifty Web radios will completely use the capacity of a T1 connection. What about the mail clerk who starts downloading tunes via Napster? LANcope will again report these activities as OoP services.

Even if Service Profile Lockdown is not used, the worst offenders will show up on the list of High Traffic Hosts, and on the All Local Hosts list with the "Multimedia" column checked.

Since the wait for a hacker attack will hopefully be a long boring period, LANcope provides a good deal of Network performance data just to remind you that it's on the job. It also shows you the CI noise level so that when an attack does occur, you can see the CI is well above the normal noise level and the alarm should be taken seriously.